
Encrypting communications

Foreigner (Moderator: CE&P, Staff member; joined Mar 18, 2009; 8,646 messages; location: The Cosmos)
Now that big brother is everywhere online, I'm keen to begin encrypting my communications. It's not that I am up to illegal activities, but just knowing that my data could be logged in some database for later referencing really bugs me. But I'm not sure how to begin with encryption protocols.

I've started using startpage for anonymous web searches, and I recently discovered the Firefox plugin Cryptocat for having encrypted conversations with people online.

But I also want to have regular chat software like Skype, MSN, AIM, etc. that has encrypted features where I can sign in under a dedicated name all the time. I've heard that Pidgin supports some encryption protocols, but I haven't really looked into it.

In regards to e-mail, I'm at a loss there. I've used gmail for years but it's no longer secure. Hushmail is now being served warrants by the U.S. government which it has to obey or have its servers seized. Mega (the same group that did Megaupload) is working on encrypted e-mail with an easy interface, but until then I don't know of alternatives. I've considered PGP keys before but I found the whole thing too complicated, and I heard a rumor that the U.S. government cracked them years ago.

In regards to web surfing, I know Tor is the go-to, but I don't think the network is that secure anymore. Unless I'm mistaken.

To summarize, I'm looking for user-friendly encryption protocols for:
- online chat
- e-mail
- buddylist software (like pidgin)
- web surfing / searching

Can anyone help me out with this?
 
email: gnupg (open source port of pgp)
chat: pidgin OTR plugin
web: use ssl wherever possible and make sure to check the certificates. avoid tor except for onion sites. (people can sniff traffic on exit nodes)

as of yet nobody has disclosed the breaking of rsa keys >1024 bits long, nor an attack on full AES. pgp is still safe if you set your keys up right and aren't an idiot with plaintext disclosure.

if using gnupg is too much for you there are also plugins for e.g. thunderbird that can handle it.

there is also the question of anonymity versus unreadability. most encryption doesn't make you anonymous it just obfuscates the traffic between 2 points. services like tor provide anonymity as well.
 
I've started using startpage for anonymous web searches, and I recently discovered the Firefox plugin Cryptocat for having encrypted conversations with people online.

Regarding Cryptocat.

Pidgin OTR plugin is A+ but your contacts also need to have it and, unfortunately, most people don't seem to give a fuck about privacy. I still use the MSN proto via Pidgin but otherwise the MSN client has been kicked to the curb and everyone forced to migrate to Skype.

Unfortunately, encryption is just not worth it for day-to-day communications. It's like pulling teeth to get any of your contacts to get on that level with you, and even if they do, unless they're really into it they will "forget" (read: DILLIGAF?) and give up on it in a day or two.

Another issue is that using non-standard (read: strong) encryption protos will likely flag your activities for closer scrutiny by anyone who may incidentally be watching you. It's like sending up a flare that you've got shit to hide, otherwise why the fuck would you be going through all the trouble, right? Keep in mind even the metadata that the NSA collects flows in torrents (as in a deluge, not as in the protocol) from your networked devices, so the best way to guarantee you fly under the radar would be to get familiar with protos, do your own traffic audits (Wireshark is a great tool for this) and try to keep the traffic looking normal.

As for web surfing protection, there are plenty of steps you can take. One would be using HTTPS Everywhere, a browser plugin that automatically points you to the HTTPS version of a site if one exists. Handy for client-to-server encryption of stuff like Wikipedia searches. My personal favorite option is setting up a server with SSH so you can tunnel to it, very handy if you use open WiFi a lot because it prevents your traffic from being beamed out in plaintext, letting any kid with a laptop nearby scoop your cookies and jack your BL session. Because of all the commercial uses for SSH, it's a common proto in use and as such pretty unlikely to get flagged as irregular traffic. There are great SSH tools for Android, so if you have a smartphone you can do shit like remotely run scripts and all kinds of other cool stuff if you are so inclined. The sky's the limit, but generally the more secure your solution the more of a PITA it is to set up and administer; makes Cryptocat look like Playskool.
 
For p2p messaging try Bitmessage
Still very new tech, but very promising IMO
Bitmessage is a P2P communications protocol used to send encrypted messages to another person or to many subscribers. It is decentralized and trustless, meaning that you need not inherently trust any entities like root certificate authorities. It uses strong authentication, which means that the sender of a message cannot be spoofed, and it aims to hide "non-content" data, like the sender and receiver of messages, from passive eavesdroppers like those running warrantless wiretapping programs.
Nice how to here
A mixed email/Bitmessage service with anonymous sign-up @bitmessage.ch
If you want to test it out, PM me.
 
Thanks for the info regarding Cryptocat. That's a bummer. Though their site says it affects group chat only, not 1-on-1 chat:
https://blog.crypto.cat/2013/07/new-critical-vulnerability-in-cryptocat-details/

I found this program for mobile phones that encrypts content and lets you delete your content from someone else's phone. Not sure how it works exactly but maybe it's worth a try?

https://www.surespot.me/

Also discovered that Startpage is run by prudes, as it censors anything sex or drugs related.
 
I wouldn't trust cryptocat with any sensitive communications when there are alternatives with a longer historical use which are known to be relatively secure (OTR/PGP).
Surespot and others (Threema, Wickr) promise something they can't deliver (control of content not under their control). Whilst the messages may delete after a set period of time, there is nothing stopping someone altering their device to prevent this happening or taking a photo of the message displayed on screen. You are also putting all of your trust in a centralised service not under your control. Why would you trust them to not give in to external pressure? What happens if their servers are compromised (iMessage/NSA)?

I will stick with XMPP/OTR over VPN/TOR and OpenPGP and keep playing with Bitmessage for now.
 
I'm a little behind the times so let me ask...why is Tor no longer secure?

check it. there have been rumours about FBI operating exit nodes so that would potentially move some of these proof-of-concepts into the realm of plausible usage.

Agreed with tragiclemming, like my biggest beef with Cryptocat and any easy-mode crypto solutions is that they often rely on an authentication server which can be compromised either by lawmen or hackers. The only truly reliable encryption is a scheme where only the sender and recipient get to see anything in plaintext. Pidgin+OTR is pretty much the only easy implementation I've seen that has no obvious flaws. As long as you aren't storing the chat logs in plaintext, only you and the recipient know how to decrypt the messages and only an encrypted data stream leaves your port and finds its way onto the internet.

When you add the potential need for anonymity as well, things get a bit more complex. For example, even if you take your laptop out to some public WiFi spot far the hell away and use a VPN, there is still a chance you could have applications running that leak data which could be used to identify you if it matches a previously-known traffic profile. That's one of the big reasons I prefer SSH to VPNs. Not only is it easier to get running, its use is limited to tunneling data contained to specific applications so all the other junk flows past your super secret tunnel instead of through it.

I'm not that interested in hardcore crypto but if anyone wants to talk technical about network anonymity feel free to shoot me a PM as it's a hobby of mine. If I tried to explain here how I route my traffic to BL it would definitely make this a TL;DR post (I know, I know, it already is)
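The point made above, that applications can keep talking outside the tunnel while you think everything is going through it, is something you can check for yourself. The script below is an added example, not code from the thread or from any project it names: it parses the connection table as printed by `ss -tnp` on Linux (the line layout is assumed from that tool's usual output, and the sample lines, hosts and process names here are constructed) and reports every connection that is neither the SSH session carrying the tunnel nor a loopback hop into the local forward, flagging the ones on ports whose protocols are normally cleartext.

```python
import re
from dataclasses import dataclass

# One line of `ss -tnp` output (Linux). Layout assumed from the tool's usual format:
#   ESTAB 0 0 192.168.1.5:43210 93.184.216.34:80 users:(("firefox",pid=1234,fd=55))
SS_LINE = re.compile(
    r"^(?P<state>[A-Z-]+)\s+\d+\s+\d+\s+(?P<local>\S+)\s+(?P<peer>\S+)"
    r'(?:\s+users:\(\("(?P<proc>[^"]+)",pid=(?P<pid>\d+)[^)]*\))?'
)

# Ports whose usual protocols carry credentials or content unencrypted.
CLEARTEXT_PORTS = {21: "ftp", 23: "telnet", 25: "smtp", 80: "http", 110: "pop3", 143: "imap"}

# Constructed sample: an SSH session to a (documentation-range) server, two apps
# using the local SOCKS forward on 127.0.0.1:1080, and three apps going direct.
SAMPLE = """\
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
ESTAB 0 0 192.168.1.5:50122 203.0.113.10:22 users:(("ssh",pid=2201,fd=3))
ESTAB 0 0 127.0.0.1:41932 127.0.0.1:1080 users:(("firefox",pid=2310,fd=55))
ESTAB 0 0 127.0.0.1:41934 127.0.0.1:1080 users:(("pidgin",pid=2355,fd=21))
ESTAB 0 0 192.168.1.5:38890 198.51.100.7:80 users:(("updater",pid=2402,fd=9))
ESTAB 0 0 192.168.1.5:38902 198.51.100.9:143 users:(("mailclient",pid=2410,fd=12))
ESTAB 0 0 192.168.1.5:38910 198.51.100.20:443 users:(("cloudsync",pid=2420,fd=7))
"""


@dataclass
class Conn:
    state: str
    local_host: str
    local_port: int
    peer_host: str
    peer_port: int
    proc: str


def split_endpoint(ep: str):
    """'host:port' -> (host, port); strips the brackets of IPv6 literals."""
    host, port = ep.rsplit(":", 1)
    return host.strip("[]"), int(port)


def parse_ss(text: str):
    """Parse `ss -tnp` output; lines that do not look like a socket row are skipped."""
    conns = []
    for line in text.splitlines():
        m = SS_LINE.match(line.strip())
        if not m:
            continue
        lh, lp = split_endpoint(m.group("local"))
        ph, pp = split_endpoint(m.group("peer"))
        conns.append(Conn(m.group("state"), lh, lp, ph, pp, m.group("proc") or "?"))
    return conns


def audit(conns, ssh_host: str, ssh_port: int = 22):
    """Return (process, peer, kind) for every connection that bypasses the tunnel:
    anything that is not the SSH carrier itself and not a loopback hop into a
    local forward. kind names the cleartext protocol if the port is a known one."""
    findings = []
    for c in conns:
        if c.peer_host == ssh_host and c.peer_port == ssh_port:
            continue  # the SSH session carrying the tunnel
        if c.peer_host in ("127.0.0.1", "::1"):
            continue  # app -> local forward; this traffic rides inside SSH
        kind = CLEARTEXT_PORTS.get(c.peer_port, "encrypted-or-unknown")
        findings.append((c.proc, f"{c.peer_host}:{c.peer_port}", kind))
    return findings


if __name__ == "__main__":
    for proc, peer, kind in audit(parse_ss(SAMPLE), "203.0.113.10"):
        print(f"bypasses tunnel: {proc:<12} -> {peer:<20} [{kind}]")
```

On a real machine you would feed it `ss -tnp` output instead of the sample (run as root, or only your own processes get named) and pass the address of your SSH server; anything it lists is traffic that a sniffer on the WiFi sees outside the tunnel, and the `http`/`imap`-type entries are the ones leaking content or credentials.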
 
When you add the potential need for anonymity as well, things get a bit more complex. For example, even if you take your laptop out to some public WiFi spot far the hell away and use a VPN, there is still a chance you could have applications running that leak data which could be used to identify you if it matches a previously-known traffic profile. That's one of the big reasons I prefer SSH to VPNs. Not only is it easier to get running, its use is limited to tunneling data contained to specific applications so all the other junk flows past your super secret tunnel instead of through it.
Chained services (SSH/VPN/SOCKS) are also good options. I like VPN>VPN>TOR :)
Trust services you control. That means "roll your own" mailserver, VPN and chat (jabber/xmpp) all of which are services easily installed/configured with a bit of help from google. All of these services can be run on a low spec server under your physical control or VPS purchased anonymously. Email and IM are well established protocols that everyone has access to. The hardest part will be convincing others to use OTR and PGP in conjunction with these services.

Did I mention Bitmessage ;) yet?
Public key cryptography explained with paint and why your messages are secure on the wire
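The "secure on the wire" property, and the reason the earlier post insists that only sender and recipient should ever see plaintext, is easiest to see with a worked key agreement. The block below is an added example, not code from the thread or from OTR, PGP or Bitmessage: it runs a Diffie-Hellman exchange over the 2048-bit MODP group of RFC 3526 (the constant is checked to be a safe prime at import), shows that the eavesdropper's view is only the public values, and then shows what happens when an active attacker substitutes her own values: the two sides end up with different keys and the fingerprint the victim sees is not the peer's real one, which is exactly what out-of-band fingerprint comparison (as OTR does) exists to catch. The party names and the fingerprint display format are this example's own choices.

```python
import hashlib
import secrets

# 2048-bit MODP group from RFC 3526 (group 14): p is a safe prime, g = 2.
# The safe-prime check below means a mistyped constant fails loudly at import.
P_HEX = (
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
    "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
    "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
    "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3D"
    "C2007CB8A163BF0598DA48361C55D39A69163FA8FD24CF5F"
    "83655D23DCA3AD961C62F356208552BB9ED529077096966D"
    "670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
    "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9"
    "DE2BCBF6955817183995497CEA956AE515D2261898FA0510"
    "15728E5A8AACAA68FFFFFFFFFFFFFFFF"
)
P = int(P_HEX, 16)
G = 2
Q = (P - 1) // 2  # order of the subgroup generated by G


def is_probable_prime(n: int, rounds: int = 16) -> bool:
    """Miller-Rabin with random bases; enough to sanity-check a fixed group constant."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = 2 + secrets.randbelow(n - 3)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


assert is_probable_prime(P) and is_probable_prime(Q), "group constant is corrupt"


def fingerprint(pub: int) -> str:
    """Short hash of a public value, the kind of thing OTR shows you to compare out of band."""
    digest = hashlib.sha256(pub.to_bytes(256, "big")).hexdigest()
    return " ".join(digest[i:i + 8] for i in range(0, 40, 8)).upper()


class Party:
    def __init__(self, name: str) -> None:
        self.name = name
        self.secret = 2 + secrets.randbelow(Q - 2)  # private exponent, never leaves the machine
        self.pub = pow(G, self.secret, P)            # this is all that crosses the wire

    def session_key(self, peer_pub: int) -> bytes:
        # Reject values outside the group or in a small subgroup before using them.
        if not 2 <= peer_pub <= P - 2 or pow(peer_pub, Q, P) != 1:
            raise ValueError("invalid peer public value")
        shared = pow(peer_pub, self.secret, P)
        return hashlib.sha256(shared.to_bytes(256, "big")).digest()


def honest_exchange():
    """Alice and Bob agree a key; the passive eavesdropper sees only (p, g, A, B)."""
    alice, bob = Party("alice"), Party("bob")
    wire = {"p": P, "g": G, "A": alice.pub, "B": bob.pub}
    return alice.session_key(bob.pub), bob.session_key(alice.pub), wire


def mitm_exchange():
    """Mallory replaces both public values with her own: the keys no longer match,
    and the fingerprint Alice sees for 'Bob' is not Bob's real fingerprint."""
    alice, bob, mallory = Party("alice"), Party("bob"), Party("mallory")
    alice_key = alice.session_key(mallory.pub)  # Alice believes this came from Bob
    bob_key = bob.session_key(mallory.pub)      # Bob believes this came from Alice
    return alice_key, bob_key, fingerprint(mallory.pub), fingerprint(bob.pub)


if __name__ == "__main__":
    k_a, k_b, wire = honest_exchange()
    print("honest exchange, keys match:", k_a == k_b)
    k_a, k_b, seen, real = mitm_exchange()
    print("under active interception, keys match:", k_a == k_b)
    print("fingerprint Alice sees:", seen)
    print("Bob's real fingerprint:", real)
```

Recovering the key from what is on the wire would require solving the discrete logarithm in this group, which is why the passive watcher is stuck; the active case is only defeated by authenticating the public values, whether through OTR's fingerprint check, a signed key in PGP, or Bitmessage's address-derived keys.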
 
I wouldn't trust cryptocat with any sensitive communications when there are alternatives with a longer historical use which are known to be relatively secure (OTR/PGP).

Could you explain the basis of OTR/PGP and how to use it, or point me to a link that describes it? Note: I'm pretty much an idiot when it comes to this kind of stuff so the beginner's breakdown would be appreciated.
 
http://www.pidgin.im/ for the chat client (works with most popular services)
http://www.cypherpunks.ca/otr/ for the OTR plugin

The FAQ is supposed to cover the following but I didn't see it on a quick skim so:

1) Other party must also be using a client with OTR enabled
2) Disable chat logging to prevent information being saved in plaintext on your local machine
 
I use pidgin with off the record plugin for messaging and www.countermail.com as email with extra encrypted USB key option. So far it has made me feel quite safe. I also use TrueCrypt to encrypt/hide my files.
 
But I also want to have regular chat software like Skype, MSN, AIM, etc. that has encrypted features where I can sign in under a dedicate name all the time. I've heard that Pidgin supports some encryption protocols, but I haven't really looked into it.


Jitsi
 
- online chat- pidgin.im + OTR (http://www.cypherpunks.ca/otr/)

Make sure you set it up so that it goes through tor.

- e-mail- gpg (gpg4win.org, depends on OS, hopefully you aren't using windows but you probably are)

I don't recommend using Thunderbird as Tor says there still may be revealing data leaks. Better to just use GPA, the clipboard, and the copy-and-paste function to send mail via Tor Browser. It is also important that you choose a secure email provider such as autistici.org or riseup.net.

- buddylist software (like pidgin)- see online chat

- web surfing / searching- the email providers listed above actually provide free OpenVPN; neither keeps logs. If you're willing to kick out a couple bucks, ipredator.se is fantastic. VPNs are a must for file sharing, watching videos, etc. I use Tor Browser to browse, send emails, chat, etc. but I have a VPN on constantly. You should use Firefox to browse and install the add-ons HTTPS Everywhere, Ghostery, and Adblock Plus. Besides preventing you from being tracked, Ghostery and Adblock Plus also have the added benefit of making it so that you never see an ad again. HTTPS Everywhere will make sure that if the website you are visiting offers SSL you connect using it.

Besides this you are going to want to use full disk encryption; for Windows TrueCrypt works great, for Linux the kernel comes with dm-crypt. Neither is hard to set up; choose a long password (full sentences with numbers + abbreviated words + random capital letters). TrueCrypt is also useful for encrypting files.

Lastly, if you do use Windows you may want to change to a more secure OS. Linux is great, and the newer version of Ubuntu offers full disk encryption during setup and is easy to use once you get the hang of it. Everything is free for the most part, software-wise.

If you want help setting any of this up PM me and I'll drop you my XMPP address and I'll help you next time we're both on at the same time.
 